[SOLVED]New server - Client sent malformed Host header

boby
Forum Members
Posts: 94
Joined: Thu Feb 21, 2008 11:31 pm

[SOLVED]New server - Client sent malformed Host header

Post by boby »

Hi,

My hosting company had to move my web page to another server because I was not getting the CSS styles working in the admin area. Now it is fine; I have got a really great admin control.
But when I ticked the box 'Enable Site Down Message' in 'Global setting' in order to get my site back running, I got the following message:
"Bad Request
Your browser sent a request that this server could not understand.
Client sent malformed Host header"
I am getting the same message if I want to clear the cache. It seems that only 'global setting' behaves like that.
What could have been changed when moving to a new server? The IP?
I don't know where to check it out.
Thanks for any help!!!

Boby
Last edited by boby on Thu Feb 12, 2009 4:18 pm, edited 1 time in total.
Pierre M.

Re: New server - Client sent malformed Host header

Post by Pierre M. »

Please follow forum rules: tell your version, the admin browsers you have tested with, the strangeness in http logs...

Pierre M.
manuel
Power Poster
Posts: 354
Joined: Fri Nov 30, 2007 9:15 am

[solved] Re: New server - Client sent malformed Host header

Post by manuel »

I'm running CMS Made Simple 1.5.2 "Caguas"
Browsers tested: IE 7 & FF 3.0.5
server: php safe mode disabled

On many content or configuration pages (but not all), I keep receiving the following message when trying to save...


Bad Request
Your browser sent a request that this server could not understand.
Client sent malformed Host header
--------------------------------------------------------------------------------
Web Server at ###############.be


What could be causing this?

Greetings,
Manuel
Last edited by manuel on Tue Feb 10, 2009 7:54 pm, edited 1 time in total.
Pierre M.

Re: New server - Client sent malformed Host header

Post by Pierre M. »

Hello,

What do you see in the http error log when you trigger this error?
Please use the "System Info" to report here.
Which character sets are you using?
What are your non-out-of-the-box settings?

Pierre M.
manuel
Power Poster
Posts: 354
Joined: Fri Nov 30, 2007 9:15 am

Re: New server - Client sent malformed Host header

Post by manuel »

Dear Pierre,

Thanks for your quick reply!

I don't see anything in the http error logs but I did find something in the mod_security audit log!
After disabling "HTTP Response Splitting" in the mod_security configuration, the error is gone...

I guess the question now is whether my cmsms installs have been hacked or not? Can I safely disable the "HTTP Response Splitting"?

How does cmsms normally work with mod_security HTTP Response Splitting? Is this normally an issue?
Is there anyone with a similar story/experience?

Greetings,
Manuel
Pierre M.

Re: New server - Client sent malformed Host header

Post by Pierre M. »

Hello again Manuel,

Thank you for reporting so clearly. As always, logs help diagnose the problem and find solutions.

I wouldn't say your CMSms install has been cracked. I would think your hosting provider's mod_security default policy is too strict for CMSms. To be sure, talk with your hosting provider.

You can find similar experiences by searching the forum with google.

Pierre M.
manuel
Power Poster
Posts: 354
Joined: Fri Nov 30, 2007 9:15 am

Re: New server - Client sent malformed Host header

Post by manuel »

Dear Pierre,

The rule within mod_security that was causing the "400 Bad Request" error is part of the default settings of mod_security.
As a consequence I believe anyone running cmsms and mod_security with default settings will experience this problem.
The rule that needs to be changed (or disabled) is "HTTP Response Splitting" and can be found in the modsecurity_crs_40_generic_attacks.conf file. (don't forget to restart apache after modifying :)

I'm glad I can confidently provide you with the cause and solution for this problem as my small contribution to this great content management system!

Greetings,
Manuel
Pierre M.

Re: New server - Client sent malformed Host header

Post by Pierre M. »

manuel wrote: I'm glad I can confidently provide you with the cause and solution for this problem as my small contribution to this great content management system!
Nice :-)
You can try putting this in the troubleshooting section in the wiki.
Have fun with CMSms

Pierre M.
boby
Forum Members
Posts: 94
Joined: Thu Feb 21, 2008 11:31 pm

Re: New server - Client sent malformed Host header

Post by boby »

Hi all,

Thanks for giving the solution. I did give it to my host provider and they said three times that they disabled the http splitting. But I keep receiving the 400 bad request when I want to change my template or the meta information or if I want to clear the cache. Hopefully I am still able to change the content or stylesheet.

My error log is giving me the following:
[Mon Feb 09 10:49:21 2009] [error] [client 189.133.16.80] ModSecurity: Access denied with code 400 (phase 2). Pattern match "(?:\\bhttp\\/(?:0\\.9|1\\.[01])|<(?:html|meta)\\b)" at ARGS:metadata. [file "/etc/httpd/modsecurity.d/modsecurity_crs_40_generic_attacks.conf"] [line "213"] [id "950911"] [msg "HTTP Response Splitting Attack"] [data "<meta"] [severity "ALERT"] [hostname "voluntariado.natate.org"] [uri "/admin/siteprefs.php"] [unique_id "JvmJGsmCTyAAABaVwJwAAAAk"]

I guess response splitting is still active. My Cmsms was working before they moved my site to a new server. I have tried with various cmsms versions, including the 1.5.2 with the standard configuration. No way to make it work.
I have been told today that the problem was not on their side but because of cmsms. This is quite strange because I have 3 other cmsms on another server of theirs working without any problem.

Could you confirm that the problem is not with cmsms but because of their server configuration? I'll spend more hours on the phone with them I guess!
Thank you very much
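
Added example (not part of boby's post, and not CMSMS or ModSecurity code): a small Python triage helper that parses the error-log entry quoted above, replays the logged pattern against a field value to show why an ordinary `<meta` tag trips rule 950911, and checks whether the rule still fired after a reported configuration change. The function names are hypothetical, and `META_FIELD`, `PLAIN_FIELD` and the change time are constructed sample inputs.

```python
import re
from datetime import datetime

# Error-log entry exactly as quoted in the post above.
LOG_LINE = r'''[Mon Feb 09 10:49:21 2009] [error] [client 189.133.16.80] ModSecurity: Access denied with code 400 (phase 2). Pattern match "(?:\\bhttp\\/(?:0\\.9|1\\.[01])|<(?:html|meta)\\b)" at ARGS:metadata. [file "/etc/httpd/modsecurity.d/modsecurity_crs_40_generic_attacks.conf"] [line "213"] [id "950911"] [msg "HTTP Response Splitting Attack"] [data "<meta"] [severity "ALERT"] [hostname "voluntariado.natate.org"] [uri "/admin/siteprefs.php"] [unique_id "JvmJGsmCTyAAABaVwJwAAAAk"]'''

HEAD = re.compile(r'^\[(?P<ts>[^\]]+)\].*?ModSecurity: (?P<action>.+?)\. '
                  r'Pattern match "(?P<pattern>.*?)" at (?P<target>[A-Z_]+(?::[^\s.]+)?)\.')
TAG = re.compile(r'\[(\w+) "([^"]*)"\]')

def parse_alert(line):
    """Split one ModSecurity error-log entry of the form above into fields."""
    head = HEAD.search(line)
    if head is None:
        return None  # not a ModSecurity pattern-match entry
    alert = dict(TAG.findall(line))          # file, line, id, msg, data, uri, ...
    alert.update(head.groupdict())           # ts, action, pattern, target
    alert["when"] = datetime.strptime(alert.pop("ts"), "%a %b %d %H:%M:%S %Y")
    # The log shows every backslash doubled; undo that to recover the regex.
    alert["pattern"] = alert["pattern"].replace("\\\\", "\\")
    return alert

def replay(alert, value):
    """Return the part of `value` the logged rule pattern matches, or None."""
    m = re.search(alert["pattern"], value)
    return m.group(0) if m else None

def fired_after(lines, rule_id, changed_at):
    """Alerts for `rule_id` logged after the rule was reportedly disabled."""
    alerts = (parse_alert(ln) for ln in lines)
    return [a for a in alerts if a and a["id"] == rule_id and a["when"] > changed_at]

# Constructed sample inputs (assumptions, not taken from the thread).
META_FIELD = '<meta name="Generator" content="CMS Made Simple" />'
PLAIN_FIELD = "Site is down for maintenance"

if __name__ == "__main__":
    a = parse_alert(LOG_LINE)
    print(a["id"], a["msg"], "|", a["target"], "on", a["uri"])
    print("meta field  ->", replay(a, META_FIELD))
    print("plain field ->", replay(a, PLAIN_FIELD))
    # Hypothetical change time: host says the rule was disabled at 09:00.
    still = fired_after([LOG_LINE], "950911", datetime(2009, 2, 9, 9, 0))
    print("alerts after reported change:", len(still))
```

The `id`, `target` and `uri` fields are the values a host needs in order to scope an exception to this one form field instead of switching the rule off for the whole site.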
boby
Forum Members
Posts: 94
Joined: Thu Feb 21, 2008 11:31 pm

[SOLVED]Re: New server - Client sent malformed Host header

Post by boby »

The host provider left a blank space somewhere!!!
It is solved!!!!
Thanks guys
Pierre M.

Re: New server - Client sent malformed Host header

Post by Pierre M. »

Nice it is solved :-)

Please put the [solved] in the title of your first message of the thread.
Have fun with CMSms

Pierre M.
manuel
Power Poster
Posts: 354
Joined: Fri Nov 30, 2007 9:15 am

Re: [SOLVED]New server - Client sent malformed Host header

Post by manuel »

Hi Sebastiaan,

You should ask your host to disable the following in mod_security:
The rule that needs to be changed (or disabled) is "HTTP Response Splitting" and can be found in the modsecurity_crs_40_generic_attacks.conf file. (don't forget to restart apache after modifying :)
Greetings,
Manuel